iOS ENTERPRISE SECURITY

APPLE & BUSINESS
- Apple have had an uphill battle getting into businesses for many years (the Windows monopoly)
- Phones provided another attempt: BlackBerrys and Windows Mobile were the rulers
- Need integration with Microsoft Exchange Server

ENTERPRISE NEEDS
- Control over devices which access or store sensitive data
- Used to buy and set up devices for employees and apply rules: unable to install other programs, strong passcodes, remote lock, remote wipe
- Centralised management: updates and changes made from the organisation
- If BYOD there are extra problems: users want to do things with their devices which may be unsafe (installing 3rd party programs, updating programs without permission)

CONFIGURATION PROFILES
- Used to manage the devices
- Administrator configures the settings; many of the settings are the same you ordinarily see under Settings
- There is an iPhone Configuration Utility (Mac or Windows)
- Can be installed over USB, sent via email, or hosted on a web server
MOBILE DEVICE MANAGEMENT (MDM) SYSTEM
- Server used to manage a large number of devices
- Apple provides one in Server editions of Mac OS X (suitable up to medium sized organizations)
- 3rd party solutions as well

CONFIGURATION PROFILES
- Another property list
- May be signed and encrypted (Cryptographic Message Syntax, CMS); if sent over a network then it should be encrypted
- Includes the name and description of the profile, the creating organization, and a number of payloads; these have the configuration data

CONFIGURATION PAYLOADS
- Removal password: the password needed to turn off the configuration profile; configurations can also be set with "Never remove" (have to clear the device to get rid of it)
- Passcode policy: is a passcode mandatory and how complex should it be (see figure 2.2, from iOS Hacker's Handbook); if there is no existing passcode or the existing one is not complex enough then the user is asked to set a new passcode (how does the policy know? I would have thought the existing passcode was only stored encrypted.)
- Email: configures the user's email account
- Exchange: configures the user's Microsoft Exchange account
- VPN: specifies a VPN
- WiFi: specifies a WiFi network
- APN: specifies a particular mobile carrier
- Web clip: puts a web clipping on the home screen
- Restrictions: camera, App Store, Siri, YouTube, Safari etc.

DISTRIBUTING THE PROFILES WITH THE IPHONE CONFIGURATION UTILITY
- Puts a root certificate authority in the keychain
- Each device connected over USB has its certificate created; this certificate is then used to encrypt/decrypt the profiles
- Can then use email or the web to send profiles

DISTRIBUTING VIA MOBILE DEVICE MANAGEMENT

HOW MDM WORKS
- 3 components: the iOS device, the organization's MDM server, and Apple's Push Notification Service (APNS) (from iOS Hacker's Handbook)
- The MDM server tells the APNS to publish a notification (on a particular topic); devices have informed the APNS which topics they are subscribing to
- The notification is sent
- The device then establishes a connection to the MDM server over HTTPS
- Remote wiping can be initiated by MDM, Exchange, or iCloud.
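As an added example (not from the slides, and not Apple's or any MDM vendor's code), a small Python audit of the passcode-policy and restrictions payloads in a configuration profile. The profile below is constructed for the example; the payload types and key names follow Apple's Configuration Profile Reference, while the baseline thresholds (minimum passcode length 6) are an assumption.

```python
import plistlib

# Constructed sample profile (not a real organisation's .mobileconfig), with weak settings on purpose.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example Corp Baseline</string>
  <key>PayloadOrganization</key><string>Example Corp</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>minLength</key><integer>4</integer>
      <key>requireAlphanumeric</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><true/>
      <key>allowAppInstallation</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(data: bytes):
    """Parse a .mobileconfig property list and list settings weaker than a simple baseline."""
    profile = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []
    # A removable profile lets the user simply switch the policy off.
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is removable by the user (PayloadRemovalDisallowed false)")
    # Passcode policy payload: must exist, with a minimum length and complexity requirement.
    pw = payloads.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if pw.get("minLength", 0) < 6:  # assumed baseline threshold
            findings.append(f"passcode minLength {pw.get('minLength', 0)} is below 6")
        if not pw.get("requireAlphanumeric", False):
            findings.append("passcode does not require alphanumeric characters")
    # Restrictions payload: camera and App Store, as listed on the slides.
    ra = payloads.get("com.apple.applicationaccess", {})
    if ra.get("allowCamera", True):
        findings.append("camera is allowed")
    if ra.get("allowAppInstallation", True):
        findings.append("App Store installation is allowed")
    return findings
```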
ENTERPRISE APPS
- An enterprise provisioning profile can be loaded along with the configuration profile; then the in-house enterprise apps can be distributed over the air or through MDM
- Enterprise provisioning profiles have to be renewed annually

THE KILL SWITCH & HARDWARE MODIFICATIONS
- The kill switch worries some companies: what if Apple wants to shut our apps down?
- Some companies don't trust software restrictions; rather than rely on configuration profiles to turn cameras off etc., companies can purchase iPads without cameras or WiFi

THE PASSCODE BYPASS BUG
http://www.macrumors.com/2013/02/14/ios-6-1-bug-enables-bypassing-passcode-lock-to-access-phone-and-contacts/
February 2012 - iOS 6.1
1. Lock device
2. Slide to unlock
3. Tap emergency call
4. Hold sleep button until the power down prompt shows. Click cancel, you will notice the status bar turn blue. Type in 911 or your emergency number and click call, then cancel it asap so the call doesn't go through.
5. Lock your device with the sleep button then turn it on using the home button.
6. Slide to unlock then hold the sleep button and in 3 seconds tap emergency call. This will spazz out the phone and cause it to open. [Make sure to continuously hold the sleep button until you are done looking in the phone]
- It only provided access to the phone function

SUMMARY
- Enterprises need to have control over devices which connect to their systems
- Configuration profiles can be installed on devices to enforce policies and manage restrictions
- These can be distributed via MDM systems
RESOURCE
- A good place to get an overview of all the topics I have covered so far: http://www.apple.com/iphone/business/it-center/security.html
- Also look at the links on this page